- Proofpoint observes a sophisticated BEC attack in the UAE
- The attackers used a compromised email account to share polyglot files with their victims
- These files deploy a hidden backdoor against aviation companies
Aviation companies in the United Arab Emirates (UAE) have recently been targeted by a highly sophisticated business email compromise (BEC) attack that sought to deploy advanced malware.
Cybersecurity researchers at Proofpoint recently disclosed that they had observed customers in the country, “with a distinct interest in aviation and satellite communications organizations, as well as critical transportation infrastructure”, being targeted.
The attacks began in late 2024, when a threat actor tracked as UNK_CRAFTYCAMEL compromised an Indian electronics company with which the aviation companies had done business in the past. The attackers used this company's email account to distribute several polyglot files; by sending from a trusted partner's account, they preserved an appearance of legitimacy while attempting to deploy malicious software.
Unknown attackers
The infection chain begins with polyglot files. These are files crafted to be valid in more than one format at the same time, which lets them evade traditional detection mechanisms that classify a file by a single format. Although somewhat rare, polyglot files have been observed in cyber attacks before, Proofpoint notes, notably in the Emmenhtal loader attacks.
Ultimately, these files lead to the installation of a Go-based backdoor called Sosano, designed to maintain access and execute further malware remotely. The attackers' efforts to hide the attack did not stop at polyglot files: the backdoor's size was inflated with unused Golang libraries, and its execution was delayed to avoid detection in sandbox environments.
Proofpoint said Sosano connected to a remote server, Bokoreshonline[.]com, to receive commands and potentially download additional payloads.
Although the researchers do not directly link UNK_CRAFTYCAMEL to known groups, they note similarities with the Iran-aligned threat actors TA451 and TA455, both associated with the Islamic Revolutionary Guard Corps (IRGC).
“The two groups have historically focused on targeting aerospace-aligned organizations. In addition, TA451 and UNK_CRAFTYCAMEL have both used HTA files in highly targeted campaigns in the UAE; and TA455 and UNK_CRAFTYCAMEL share a preference for approaching targets with business-to-business sales offers, followed by targeting engineers within the same companies,” said the researchers. “Despite these similarities, Proofpoint assesses UNK_CRAFTYCAMEL as a distinct group of intrusion activity.”
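To illustrate why polyglot files slip past single-format checks, and how a defender can flag them, here is an added example (not from the Proofpoint report or the article): it scans a file for signatures of several formats at once and also lets a ZIP parser try the file, since ZIP readers start from the end of the file. The signature table and the sample PDF-plus-ZIP file are constructed for this example and are not artifacts from the campaign described above.

```python
"""Flag files that are valid in more than one format (polyglots)."""
import io
import re
import zipfile

# Constructed signature table for this example; not exhaustive.
# (label, byte pattern, anchored at offset 0?)
SIGNATURES = [
    ("pdf", rb"%PDF-\d\.\d", True),
    ("zip", rb"PK\x03\x04", False),                 # ZIP local header anywhere
    ("pe", rb"MZ", True),
    ("ole", rb"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", True),
    ("html", rb"<(?:html|script|body)\b", False),   # HTA/HTML markup anywhere
]


def detect_formats(data: bytes) -> set:
    """Return every format label whose signature is present in data."""
    found = set()
    for label, pattern, anchored in SIGNATURES:
        flags = re.IGNORECASE if label == "html" else 0
        hit = re.match(pattern, data, flags) if anchored else re.search(pattern, data, flags)
        if hit:
            found.add(label)
    # A ZIP reader locates the end-of-central-directory record at the END of
    # the file, so an archive appended to another format still extracts.
    if zipfile.is_zipfile(io.BytesIO(data)):
        found.add("zip")
    return found


def is_polyglot(data: bytes) -> bool:
    """True when the bytes satisfy more than one format at once."""
    return len(detect_formats(data)) > 1


def build_sample_polyglot() -> bytes:
    """Constructed sample: a PDF header followed by a complete ZIP archive.
    A magic-byte check sees a PDF; a ZIP reader happily extracts readme.txt."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "constructed sample text")
    return b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n" + buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_polyglot()
    print(sorted(detect_formats(sample)), "polyglot:", is_polyglot(sample))
```

A file that triggers more than one label is worth quarantining for deeper inspection, regardless of what its extension or leading magic bytes claim.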